In recent years, malicious programmers have created a variety of sophisticated targeted attacks aimed at high-profile or high-level entities, such as governments, corporations, political organizations, defense contractors, or the like. In many cases, the goal of such targeted attacks is to gain access to highly sensitive or confidential information, such as security credentials, financial information, defense-related information, and/or intellectual property (e.g., source code), and/or to simply disrupt an entity's operations.
Many security software companies attempt to combat targeted attacks by creating and deploying malware signatures (e.g., hashes that uniquely identify known malware samples) to their customers on a regular basis. However, a significant number of the above-mentioned attacks involve malware that has been carefully crafted to take advantage of an as-yet-undiscovered vulnerability in a particular application (commonly known as a “zero-day” exploit). As such, these attacks are often difficult for traditional security software to detect and/or neutralize, since the exploits in question have yet to be publicly discovered and therefore have no signature. Moreover, in addition to malware, many targeted attacks may perform malicious activities using benign software and/or the actions of authorized users, neither of which is generally detected by typical malware signatures.
In addition to or as an alternative to a signature-based approach, some security software companies may apply a variety of behavior-based heuristics to detect targeted attacks. Unfortunately, a significant number of targeted attacks (e.g., advanced persistent threats) may move at a slow pace such that traditional security software may be unable to distinguish individual malicious behaviors of the targeted attacks from legitimate behaviors.
After detecting an attack on a computing system, traditional security software may recommend various procedures for remediating the effects of the attack on the computing system. In some instances, traditional security software may generate procedures for remediating predicted effects of an attack by (1) analyzing the impact of malware used in the attack on an isolated computing system purposely built for analyzing malware and (2) generating procedures for reversing the impact of the malware.
Unfortunately, remediation procedures generated in this way may have limited utility for at least two reasons: (1) targeted attacks may involve more than just malware, and (2) computing environments purposely built for analyzing malware may not adequately represent live production computing systems (e.g., many targeted attacks span many uniquely-configured computing devices). As a result, traditional security software may fail to analyze and remediate the global impact of an attack on a computing system, especially an attack that involves human-driven behaviors from undetected benign and/or malicious software spread across many computing devices within a victim's computing system. Accordingly, the instant disclosure identifies and addresses a need for systems and methods for using event-correlation graphs to generate remediation procedures.